
Data Breach Madness!!!

January 22nd, 2009

OMFG, here we go again. Every security and compliance dork in the universe has their blood pressure up a bit since the announcement by Heartland Payments that 100 million+ payment card numbers may have been exposed. Am I in this same state of craziness? Of course, I’m a full-fledged security and compliance dork.

But I’m thinking about this more than ever. Knee-jerk reactions aside, what should we think about this? I am of the opinion that the current mode of thinking around audit and compliance DOES NOT WORK. There, I said it. This notion of auditing an organization once, checking off the boxes, and then coming back later to find that the shit has hit the fan is SILLY, people! When are we going to get around to figuring out that auditing should be a constant thing!?

I’m biased. No two ways about it, I work for a company (Configuresoft) that makes software that will literally solve this problem, so I know it can be done. A “point in time” audit is really of very little use these days. In this latest breach, the biggest issue (based on info we have so far) seems to be that changes were made to a system (malicious software was installed to monitor transactions) and NO ONE NOTICED. So when did the problem start? I dunno. How long have you been compromised? Uh, I dunno. Why don’t you know? Gosh, I dunno! This should be a “career limiting move” for someone.
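As an added illustration of the continuous-audit point (example code written for this edit, not Configuresoft's product and not from the original post), here is a Python sketch of the idea: record a hashed baseline of a system's files once, then compare every scheduled observation against that baseline so a change is flagged at the observation where it first appears, instead of being discovered months later. A one-off audit is just a single comparison; the continuous version is the same comparison on a schedule, which is what answers "when did the problem start?". The paths and file contents are constructed placeholders, not from any real system.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample system: path -> file contents. Hypothetical paths;
# a real deployment would read these from disk on each scheduled run.
CLEAN_SYSTEM: Dict[str, bytes] = {
    "/opt/pos/bin/txn_processor": b"placeholder clean binary v1",
    "/opt/pos/etc/processor.conf": b"log_level=info\n",
    "/etc/cron.d/pos-backup": b"0 2 * * * root /opt/pos/bin/backup\n",
}


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file so the baseline captures content, not just file names."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between two snapshots as added, removed or modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_drift(delta: Dict[str, List[str]]) -> bool:
    return any(delta.values())


def point_in_time_audit(baseline: Dict[str, str], files: Dict[str, bytes]) -> bool:
    """A single check: True means the system matches the baseline right now."""
    return not has_drift(diff_snapshots(baseline, snapshot(files)))


def continuous_audit(baseline: Dict[str, str], observations: List[Dict[str, bytes]]) -> Optional[int]:
    """Run the same check on every scheduled observation and return the index
    of the first one showing drift (i.e. when the change started), or None."""
    for i, files in enumerate(observations):
        if not point_in_time_audit(baseline, files):
            return i
    return None


def demo():
    """Constructed timeline: two clean observations, then a config change and
    an unexpected new file that persist on later observations."""
    baseline = snapshot(CLEAN_SYSTEM)
    day2 = dict(CLEAN_SYSTEM)
    day2["/opt/pos/etc/processor.conf"] = b"log_level=debug\n"
    day2["/opt/pos/lib/helper.so"] = b"placeholder unexpected shared object"
    observations = [CLEAN_SYSTEM, CLEAN_SYSTEM, day2, day2]

    audited_once_on_day0 = point_in_time_audit(baseline, observations[0])  # passes
    first_drift = continuous_audit(baseline, observations)                 # 2
    delta = diff_snapshots(baseline, snapshot(observations[first_drift]))
    return audited_once_on_day0, first_drift, delta


if __name__ == "__main__":
    passed, first, delta = demo()
    print(f"point-in-time audit on day 0 passed: {passed}")
    print(f"continuous audit first flagged drift at observation {first}: {delta}")
```

The point-in-time audit at observation 0 reports a clean system and would keep reporting that until someone ran it again; the continuous loop pins the change to observation 2 and lists exactly what moved, which is the information the breach post-mortem in the text was missing. In practice the baseline itself needs to be stored where the monitored host cannot rewrite it, and the comparison should cover configuration and scheduled tasks as well as binaries.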

Now the real question – will Heartland Payments see any loss of business? Despite all the hoopla, does anyone even care? We’ll make a big deal out of this, apologies will happen, security geeks will squawk day and night for a few months about how “important” this is, blah blah blah. Anyone looked at how TJX is doing? Just fine, thanks, they’ve had absolutely ZERO permanent effects from losing lots of our data. Until someone finally imposes crippling penalties on these companies, we’ll continue to see the cycle of
breach -> freak out -> "we're so sorry" -> time lapse -> forgetfulness

And last time I checked, we have absolutely no cure for apathy. Damn, I feel about as optimistic as Bruce Schneier right now. Yuck.

Categories: Information Security, Rants
  1. Andrew Kalat
    January 22nd, 2009 at 12:02 | #1

    It’s almost become a regular part of business now. It has happened so often, to so many different companies, there is almost a “Shrug, well, that sucks, but it’s happening to everyone. Those darn hax0rs, they’re pretty good eh? How about coffee?” attitude now.

    Individual companies are not heavily punished because of a few things in my mind:
    1) Most regular folks don’t understand what this all means.
    2) CC numbers and fraudulent charges are not the liability of the individual. Credit card issuers are the ones who feel the most pain on this.
    3) It’s not in the best interest of the company to admit fault or liability, but to point to external parties as the cause. “Hey, we locked our doors. We took best efforts. It’s not our fault some evil guy kicked in the front door. Blame them, not us.”

    Frankly it is very frustrating to me as well, but I don’t see the situation changing. Some companies will learn the lessons and avoid this, but we’ll never hear about them in the press. But there will always be a bell curve of security cluefulness, leaving a large number of companies with their butts hanging in the wind. They just won’t spend the money to be secure enough to mitigate this risk to an appropriate level. They don’t think it’s worth it.

  2. January 22nd, 2009 at 16:30 | #2

    A problem is that credit card issuers aren’t the ones who feel the most pain on this. The pain is felt by the merchants who mistakenly accept stolen credit cards (especially card not present). I think the only way we are really going to get a handle on this is by improving the transaction authorization process.
